3 Steps to Integrate Rapid7 Products Into the DevSecOps Cycle

DevSecOps is the concept and practice of integrating security into the DevOps cycle. The idea is to bring the different phases of security into the DevOps model and try to automate the entire process, so security is integrated directly into the initial application builds.

In this post, we’ll take a closer look at how to integrate security tools into the various phases of the DevSecOps cycle. We’ll focus here on Rapid7 tools like InsightVM, InsightAppSec, and InsightOps; the same principles apply to integrating other open-source security tools into the process.

In this simple, three-step setup, we’ll use GitLab as the Version Control System and Jenkins as the build automation server. (Before getting started, you’ll need to have the integration between GitLab and Jenkins completed.)

We’ll be using a simple declarative script in our pipeline, as follows:

    pipeline {
        agent any

        stages {
            stage("build") {
                steps {
                    echo "This is a build step"
                }
            }
            stage("test") {
                steps {
                    echo "This is a test step"
                }
            }
            stage("release") {
                steps {
                    echo "This is an integration step"
                    // Deliberately fails this stage: Jenkins marks a stage failed when a shell step exits non-zero
                    sh "exit 1"
                }
            }
        }
    }


Step 1: Integrate InsightAppSec

First, we’ll include the InsightAppSec Scan in the pipeline. Ideally, this would be in the DAST stage.

To get started, we’ll install the InsightAppSec Plugin. We’ll need a few more details on hand, like the Scan Configuration ID and the
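Whatever plugin runs the scan, the DAST stage ultimately passes or fails on the same mechanism the pipeline above shows with `sh "exit 1"`: a shell step that exits non-zero fails the stage. The gate script below is an added example, not code from the Rapid7 post or the InsightAppSec plugin; the findings JSON layout, the severity order and the sample findings are constructed assumptions, not real scanner output.

```python
"""Build gate for a DAST stage: exit non-zero so Jenkins fails the stage.
Added example; findings format and severity order are assumptions."""
import json
import sys

# Severity order (assumed). Findings at or above FAIL_AT block the build,
# those at or above WARN_AT are reported only. Unknown severities block (fail closed).
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def evaluate_findings(findings, fail_at="HIGH", warn_at="MEDIUM"):
    """Return (exit_code, blocking, warnings) for finding dicts {"id","severity","url"}."""
    blocking, warnings = [], []
    fail_rank, warn_rank = SEVERITY_RANK[fail_at], SEVERITY_RANK[warn_at]
    for f in findings:
        rank = SEVERITY_RANK.get(str(f.get("severity", "")).upper())
        if rank is None or rank >= fail_rank:
            blocking.append(f)
        elif rank >= warn_rank:
            warnings.append(f)
    return (1 if blocking else 0), blocking, warnings

def gate_from_json(text, **policy):
    """Parse a JSON list of findings and apply the policy; unreadable input fails closed."""
    try:
        findings = json.loads(text)
        if not isinstance(findings, list):
            raise ValueError("expected a JSON list of findings")
    except (ValueError, TypeError) as exc:
        print(f"gate: unreadable scan results: {exc}", file=sys.stderr)
        return 1, [], []
    return evaluate_findings(findings, **policy)

# Constructed sample results (not real scanner output), used when run directly.
SAMPLE_RESULTS = json.dumps([
    {"id": "F-1", "severity": "Medium", "url": "https://app.example/login"},
    {"id": "F-2", "severity": "High", "url": "https://app.example/search"},
])

if __name__ == "__main__":
    # Read results piped in by the pipeline step, else fall back to the sample.
    raw = SAMPLE_RESULTS if sys.stdin.isatty() else sys.stdin.read()
    code, blocking, warnings = gate_from_json(raw)
    for tag, items in (("WARN", warnings), ("BLOCK", blocking)):
        for f in items:
            print(f"{tag} {f['id']} {f['severity']} {f['url']}")
    sys.exit(code)
```

In the pipeline this would be called from the DAST stage as a step such as `sh "python3 gate.py < results.json"`, so the exit code decides whether the build advances.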